GUARANTEEING THE DIVERSITY OF NUMBER GENERATORS

ADI SHAMIR AND BOAZ TSABAN

Abstract. A major problem in using iterative number generators of the form $x_i = f(x_{i-1})$ is that they can enter unexpectedly short cycles. This is hard to analyze when the generator is designed, hard to detect in real time when the generator is used, and can have devastating cryptanalytic implications. In this paper we define a measure of security, called sequence diversity, which generalizes the notion of cycle-length for non-iterative generators. We then introduce the class of counter assisted generators, and show how to turn any iterative generator (even a bad one designed or seeded by an adversary) into a counter assisted generator with a provably high diversity, without reducing the quality of generators which are already cryptographically strong.


1. Introduction 

In this paper we consider the problem of generating long cryptographically secure sequences by iterative number generators which start at some seed value $x_0 = s$, and extend it by computing $x_i = f(x_{i-1})$ where $f$ is some function. The $i$th output of the generator is a (typically shorter) value $y_i = g(x_i)$ derived from the internal state by some output function $g$ (Figure 1). If $f$ is a secret keyed function, then $g$ may be the identity.



Figure 1. 
A major application of number generators is to encrypt cleartexts by XORing them with the generated outputs. In this case, the seed $s$ is a secret key which is shared by the communicating parties, but is unknown to the eavesdropping adversary.

Since the state space is finite, the sequence of internal states $x_i$ will eventually become periodic with some period $p$, i.e., $x_i = x_{i+p}$ for all $i$ larger than some $i_0$. Any cycling of the state sequence causes a cycling of the output sequence with period at most $p$. A particularly worrisome problem is the possibility that $i_0$ and $p$ may be unexpectedly small, and therefore the cycling point $i_0 + p$ is actually achieved. This can happen even in very complex generators. An interesting example is Knuth's "Super-random" number generator (Algorithm K) [9, §3.1], which converges rapidly to a fixed point (that is, $i_0$ is very small, and $p = 1$).

If the cycling point $i_0 + p$ is achieved, then the XOR of the $i$th and $(i+p)$th ciphertexts is equal to the XOR of the $i$th and $(i+p)$th cleartexts, for all $i > i_0$. If the cleartexts have a sufficiently high redundancy, the cryptanalyst can detect the cycling by noticing the non-uniform statistics of such XORs, and then recover the actual cleartexts from their known pairwise XORs. Even if the cleartexts have no redundancy, knowledge of some cleartexts will make it possible to find other cleartexts encrypted with the same repeated values.

1.1. Partial solutions. 

1.1.1. Online monitoring. A possible solution to this problem is to monitor each execution in real time. If a particular seed leads to early cycling, the cryptographic operation is stopped and the seed is replaced. However, this can be very disruptive if the exchange of new seeds is time consuming or difficult to arrange. Note further that real time detection of cycling behavior using hash tables requires a very large memory, whereas other methods such as Floyd's two pointer cycle detection algorithm (see, e.g., [9, p. 7]) are not guaranteed to detect cycles as soon as they are entered.

1.1.2. Experimental testing. The designer of the generator can test its behavior by applying $f$ a limited number of times to a limited number of random seeds (see 0). However, such testing cannot be exhaustive, and thus even if no cycling is ever detected in these tests, the next seed or the next step can lead to a cycling.

1.1.3. Pseudorandom functions. Pseudorandom functions $f : X \to X$ are functions which are chosen from the space of all possible functions $g : X \to X$ with a relatively low-entropy distribution, but which are difficult to tell apart from truly random functions (which are selected from the space of all possible functions $g : X \to X$ with uniform distribution). For any adversary with unlimited computational power and access to a polynomial (in $\log|X|$) number of values of a pseudorandom function $f$, the probability that the adversary can tell that these values came from $f$ rather than from a truly random $g$ should be negligible. Pseudorandom permutations and pseudorandom sequences are defined similarly to be low-entropy but difficult to distinguish from truly random permutations and sequences, respectively. For more precise definitions see, m, 0, cni, m §2.2], and references therein.

It is easy to see (and well known) that sequences generated by iterative number generators with pseudorandom functions $f$ are pseudorandom. Thus, the probability that such a generator enters a small cycle is negligible. However, all known constructions of pseudorandom functions are slow and are based on unproved conjectures (see [16, §17.9]). In fact, all practical functions used in cryptography are ad-hoc constructions which are not proved to be pseudorandom, and nothing is known about the actual structure of the cycles they generate.^1 This is particularly worrisome for the user, since there is no guarantee that the generators that he uses do not contain a trapdoor leading to short



1.1.4. Mathematically structured generators. The need to avoid short cycles is the major motivation behind the development of several families of generators based on mathematical structures. These families include: Linear congruential generators, linear feedback shift registers (LFSR's), clock-controlled LFSR's, additive generators, feedback with carry shift registers, 1/p generators (see [16, §§16-17] and references therein), and TSR's [18]. Under certain conditions, these families can be proved to have large cycles.

The drawback of this approach is that their mathematical structure can often be used to cryptanalyze them (see [16, loc. cit.] for references to cryptanalysis of various implementations of the mentioned generators).

1.1.5. Re-keying. Chambers [3] suggested a technique to reduce the risk of short cycles by restarting the generator's internal state every fixed number of iterations, with a new key seed taken from a "re-keying" generator which has a provably large cycle (e.g., one of the generators mentioned in Section 1.1.4).

^1 A notable exception appears in [5] and [3], where the cycle structure of nonlinear feedback shift registers is studied. However, the obtained results cover only degenerate cases. Moreover, in [5] it is proved that the studied generators must have short cycles.

^2 Knuth's example could be viewed as such a trapdoor generator.

Given an iterative generator, let $p_k$, $k = 1, 2, \ldots$, be the probability that the cycling point of the generator occurs after at least $k$ iterations. Assume that we use the generator to get an output sequence of size $m$. The probability that we do not reach the cycling point in the usual iterative mode is $p_m$. Now, if we re-key the generator every $k$ iterations, then the probability that we do not reach the cycling point even once is $p_k^{m/k}$. As nothing is known on the cycle structure of the generator, there is no guarantee that $p_k^{m/k}$ is greater than $p_m$. It may thus be the case that the re-keying mode is worse than the standard iterative mode.

Moreover, if the re-keying generator is cryptographically weak, then 
it could be cryptanalyzed from the outputs which come immediately 
after the re-keying phases. 

One should note further that, as Schneier points out in [16, §17.11], algorithms that have a long key setup routine are not suitable for this mode.

1.1.6. Similarity transformations and counter-mode. Another possible solution is to take some simple permutation $u$ which is guaranteed to have long cycles (e.g., $u(x) = x + 1 \pmod n$, or any of the examples from Section 1.1.4), and then to use $f u f^{-1}$ (instead of $f$) as the iteration function. This similarity transformation has the same cycle structure as $u$.

Such a construction is, though, rather degenerate. Let $(f, g)$ stand for a generator whose iteration function is $f$, and whose output function is $g$. Consider a generator of the form $(f u f^{-1}, g)$. Define $\tilde g = g \circ f$. Then for all seeds $s$, setting $\tilde s = f^{-1}(s)$ implies that the $i$th output is
$$g((f u f^{-1})^i(s)) = g(f u^i f^{-1}(s)) = (g \circ f)(u^i(\tilde s)) = \tilde g(u^i(\tilde s)),$$
that is, the generator is equivalent to the generator $(u, \tilde g)$. This means that the modified generator is equivalent to another generator with a cryptographically weak iteration function.

For $u(x) = x + 1 \pmod n$ we conclude that for some $\tilde g$, the $i$th output of the generator equals $\tilde g(s + i)$. Generators of the form $y_i = g(s + i)$ are called counter-mode generators, and are a standard mode of operation [16, §9.9]. However, such generators have the following unpleasant property: The difference of any two input values $s + i$ and $s + j$ to $g$ is simply $i - j$. If $i$ is close to $j$, then $i - j$ has a small Hamming weight. This fact could be used in differential or correlation cryptanalysis of $g$. This is also the case for other choices of $u$, e.g., if $u$ is an LFSR, then $u^i(s)$ and $u^j(s)$ are equal in all except for $i - j$ bits.
2. The diversity of sequence generators

In this section we propose a new notion of security for sequence generators, which generalizes the cryptographically desirable concept of long cycles.

We first define the notion of diversity for a single infinite sequence.^3

Definition 2.1. The diversity of a sequence $x = (x_0, x_1, x_2, \ldots)$ is the function $D_x(k)$ for $k = 1, 2, 3, \ldots$ defined as the minimum number of distinct values occurring in any contiguous subsequence $x_i, x_{i+1}, \ldots, x_{i+k-1}$ of length $k$ in $x$.

All of the sequences considered in this paper have a finite sample space of $|X| = n$ possible values. For any sequence $x$ in $X$,
$$1 \le D_x(k+1) \le D_x(k) + 1 \le n.$$
In other words, the diversity grows monotonically and at most linearly with $k$, and cannot exceed $n$.

We now generalize the concept from sequences to generators. We first define the types of generators considered in this paper:

Definition 2.2. An iterative generator is a structure $\mathcal{G} = (X, Y, f : X \to X, g : X \to Y)$, where for all $x \in X$, $f(x)$ and $g(x)$ can be computed in polynomial time from $x$. $X$ is the state space, and $Y$ is the output space. We may write $\mathcal{G} = (f, g)$ for short, or $\mathcal{G} : x_i = f(x_{i-1})$ if the output function is not relevant. For a generator $\mathcal{G} : x_i = f(x_{i-1})$ and seed $s \in X$, we denote the state sequence $(x_0 = s, x_1, \ldots)$ of the generated internal states by $\mathcal{G}(s)$.

We wish to bound from below the diversity of the sequences of internal states generated from possible seeds.

Definition 2.3. The diversity of an iterative generator $\mathcal{G} : x_i = f(x_{i-1})$ is the function
$$D_{\mathcal{G}}(k) = \min\{D_{\mathcal{G}(s)}(k) : s \in X\}$$
defined for $k = 1, 2, 3, \ldots$. The total diversity of $\mathcal{G}$ is the limit $\lim_{k \to \infty} D_{\mathcal{G}}(k)$.

Iterative generators on finite spaces have simple diversity functions.

^3 Anderson et al. [5] suggested a statistically-oriented notion of diversity for random number generators, based on experimental testing of the generator. Such testing gives estimates for the average case behavior, whereas our notion bounds the worst case behavior of the generator. Moreover, the combinatorial nature of our notion will make it possible to use mathematical theory in order to apply it to cases where experimental testing is not suitable (e.g., when the state space is huge). See also Section 1.1.2.
Lemma 2.4. Assume that $\mathcal{G} : x_i = f(x_{i-1})$ is an iterative generator.

(1) Let $x$ be a sequence (of internal states) created by $\mathcal{G}$. Then $D_x(k) = \min\{k, p\}$ where $p$ is the length of the cycle that $x$ enters into.

(2) $D_{\mathcal{G}}(k) = \min\{k, p\}$ where $p$ is the length of the shortest cycle in $f$.

Proof. $x$ has distinct values before it enters the cycle and while it completes the first traversal of the cycle. This implies (1), and (2) follows from (1). □

The diversity of an iterative generator is thus directly related to the 
size of its smallest cycle. It is intended to capture one aspect of the 
worst case behavior of a generator, in the sense that generators with 
provably high diversity cannot repeat a small number of internal states 
a large number of times as a result of an unlucky or adversarial choice 
of seed. 
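As an added illustration, not part of the paper, the following Python computes the diversity function of Definition 2.1 and the generator diversity of Definition 2.3, and checks Lemma 2.4 on an iterative generator; Floyd's two-pointer method from Section 1.1.1 finds the tail length $i_0$ and period $p$ that the lemma refers to. The quadratic map modulo 101 and the halving map are constructed toy iteration functions, not examples from the paper.

```python
# Added example: diversity D_x(k) (Definition 2.1), generator diversity D_G(k)
# (Definition 2.3) and a check of Lemma 2.4 for iterative generators.
# The iteration functions below are constructed for illustration only.
from typing import Callable, List, Sequence, Tuple


def diversity(x: Sequence[int], k: int) -> int:
    """D_x(k): minimum number of distinct values over all windows of k consecutive terms.

    Only windows inside the finite prefix x are examined, so x must be long
    enough (past the tail and around the cycle) for the minimum to be attained.
    """
    if k > len(x):
        raise ValueError("prefix too short for window length k")
    return min(len(set(x[i:i + k])) for i in range(len(x) - k + 1))


def iterate(f: Callable[[int], int], seed: int, length: int) -> List[int]:
    """State sequence x_0 = seed, x_i = f(x_{i-1}) of an iterative generator."""
    xs = [seed]
    for _ in range(length - 1):
        xs.append(f(xs[-1]))
    return xs


def floyd_cycle(f: Callable[[int], int], seed: int) -> Tuple[int, int]:
    """Return (i_0, p): the index at which the state sequence enters its cycle
    and the cycle length.  Floyd's tortoise-and-hare method (Section 1.1.1):
    O(1) memory, but the cycle is noticed only after it has been entered."""
    tortoise, hare = f(seed), f(f(seed))
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    i0, tortoise = 0, seed
    while tortoise != hare:
        tortoise, hare, i0 = f(tortoise), f(hare), i0 + 1
    p, hare = 1, f(tortoise)
    while tortoise != hare:
        hare, p = f(hare), p + 1
    return i0, p


N = 101                                   # constructed state space {0, ..., 100}


def f_quadratic(x: int) -> int:
    """Constructed iteration function: x -> x^2 + 1 (mod N)."""
    return (x * x + 1) % N


def f_halving(x: int) -> int:
    """Constructed iteration function that, like Knuth's Algorithm K, collapses
    to a fixed point (p = 1) after a short tail."""
    return x // 2


def lemma_2_4_holds(f: Callable[[int], int], seed: int, kmax: int) -> bool:
    """Lemma 2.4(1): D_x(k) == min(k, p) for k = 1..kmax, p the cycle length of x."""
    i0, p = floyd_cycle(f, seed)
    xs = iterate(f, seed, i0 + 2 * p + kmax)      # long enough for every window size
    return all(diversity(xs, k) == min(k, p) for k in range(1, kmax + 1))


def generator_diversity(f: Callable[[int], int], n: int, k: int) -> int:
    """D_G(k) of Definition 2.3: minimum of D_{G(s)}(k) over all seeds s in X.
    By Lemma 2.4(2) this equals min(k, p_min), p_min the shortest cycle of f."""
    return min(diversity(iterate(f, s, 2 * n + k), k) for s in range(n))


if __name__ == "__main__":
    print("quadratic map: (i_0, p) =", floyd_cycle(f_quadratic, 0))
    print("D_x(k), k = 1..12:", [diversity(iterate(f_quadratic, 0, 3 * N), k) for k in range(1, 13)])
    print("halving map:   (i_0, p) =", floyd_cycle(f_halving, 100))
    print("D_G(20) for the quadratic map:", generator_diversity(f_quadratic, N, 20))
```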

The diversity measure can be applied to noniterative generators, in which the computation of $x_i$ may depend on its index $i$ as well.

Definition 2.5. A counter-dependent generator is a structure $\mathcal{G} = (X, Y, F : X \times \mathbb{N} \to X, g : X \to Y)$, where for all $x \in X$ and $i \in \mathbb{N}$, $F(x, i)$ and $g(x)$ can be computed in polynomial time from $x$. $X$ is the state space, and $Y$ is the output space. In this type of generator, the next state is calculated by $x_i = F(x_{i-1}, i)$. Here too, we denote the state sequence $(x_0 = s, x_1, \ldots)$ of generated internal states by $\mathcal{G}(s)$.

Note that iterative as well as counter-mode generators are particular cases of counter-dependent generators. A straightforward generalization of Definition 2.3 for counter-dependent generators is:

Definition 2.6.

(1) The diversity of a counter-dependent generator $\mathcal{G} : x_i = F(x_{i-1}, i)$ is the function $D_{\mathcal{G}}(k) = \min\{D_{\mathcal{G}(s)}(k) : s \in X\}$ defined for $k = 1, 2, 3, \ldots$. The total diversity of $\mathcal{G}$ is the limit $\lim_{k \to \infty} D_{\mathcal{G}}(k)$.

(2) A counter-dependent generator $\mathcal{G} : x_i = F(x_{i-1}, i)$ is $\varrho(k)$-diverse if $D_{\mathcal{G}}(k) \ge \varrho(k)$ for all $k = 1, 2, \ldots$.

The diversity of a general counter-dependent generator can grow and freeze in an irregular way when $k$ increases, since these generators are not forced into a cycle when they accidentally repeat the same $x_i$ value. The diversity function is thus a natural generalization of the notion of cycle size.
3. Modifying generators

In this section we consider several ways in which we can modify a given iterative generator in order to increase its diversity. The main intuitive conditions we impose on this process are:

Condition 3.1. We do not want to design the new generator from scratch. We usually prefer to use known and well studied primitives such as DES, RC5 or nonlinear feedback shift registers, for which highly optimized code can be easily obtained or reused from other parts of the application. We thus want the modified design to use the same cryptographic ingredients as the original design.

Condition 3.2. The computational complexity of the modified next-state function must not be significantly greater than that of the original one.

Condition 3.3. The modification technique should be uniformly applicable to all iterative generators, treating them as black boxes. We do not want the modification to be based on the mathematical or statistical properties of the given iteration function $f$. In particular, we cannot assume that we know the structure of its cycles.

Condition 3.4. We are more interested in increasing the diversity of the internal values $x_i$ than in increasing the diversity of the output values $y_i = g(x_i)$: If the given generator uses an output function $g$ with a small range (e.g., a single bit), applying diversity measures to the output values is meaningless.

The modification should be a win/win situation: If the given generator has a low diversity, the problem should be rectified, but if the given generator is already strong, we do not want the modification to weaken it. The problem is that we do not have a general quantitative definition of the "goodness" of generators, except when they are "perfect". We thus concentrate in this paper on the following formal interpretation.

Condition 3.5.

(1) For any given iteration function, the modified generator should be $\varrho(k)$-diverse for some $\varrho(k)$ which is exponential in $\log n$.

(2) If the iteration function $f$ is pseudorandom, then the state sequences generated from random seeds by the modified generator should be pseudorandom.

As in counter-mode (see Section 1.1.6), our black box modification technique is based on turning the iterative generator into a counter-dependent generator, allowing $x_i$ to depend on $i$ in addition to $x_{i-1}$.
To sharpen our intuition, let us consider some bad constructions. (In the following examples and throughout the paper, the state space $X$ is identified with the set $\{0, 1, \ldots, n-1\}$, and addition in the state space is carried out modulo $n$.)

Example 3.6. $x_i = i$. This function has maximal diversity, but poor cryptographic quality.

Example 3.7. $x_i = f(i)$. This is the standard counter-mode. Perfect generators remain perfect, but for a constant $f$ the diversity is 1.

Example 3.8. $x_i = f(i) + i$. This is a simple combination of the previous two examples. Perfect generators remain perfect, but for $f(x) = -x$, all the generated $x_i$ are 0, and thus the diversity is 1.

Example 3.9. $x_i = f(x_{i-1} + i)$. This is an attempt to force the next state to depend both on the previous state and on the index. Perfect generators remain perfect, but the generated sequence has diversity 1 when $f$ is a constant function.

Example 3.10. $x_i = f(x_{i-1} + i) + i$. This is the "kitchen sink" approach, trying to combine all the ingredients in all possible ways. However, when the function $f$ is $f(x) = -x$, the sequence generated from any initial seed $x_0 = s$ is $s, -s, s, -s, s, -s, \ldots$, which contains at most two values.

Considering these counterexamples, the reader may suspect that all black box modifications are bad (for some $f$). In the next section we show that this is not the case.

4. A provably good modification technique

Given an iterative generator $(f, g)$, we apply the following black-box modification.

Definition 4.1. A counter-assisted generator $(f, g)$ is a generator in which $x_0 = s$, and for all $i \ge 1$, $x_i = f(x_{i-1}) + i \pmod n$, where $n$ is the size of the state space, and the $i$th output is $g(x_i)$ (see Figure 2).

Since it is easy to maintain or obtain a counter for the number of values produced so far (in many applications, one can use either the loop counter or the running block-number as a counter for the counter-assisted mode), and no change is made in the function $f$ or $g$, the modification technique is completely trivial and can be applied to any iterative generator without increasing its complexity.



Figure 2. 

Formally, for all generators $(X, Y, f, g)$, the counter assisted modified generator is in fact the iterative generator $(X \times \{0, \ldots, n-1\}, Y, F, G)$, where
$$F(x, i) = (f(x) + i \pmod n,\; i + 1 \pmod n), \qquad G(x, i) = g(x). \tag{1}$$

However, note that:

(1) The only secret part is located in the $x$ coordinate,

(2) incrementing $i$ has no cryptographical significance, and

(3) the output calculation $G(x, i)$ is independent of the $i$-coordinate.

Thus applying diversity measures on the whole state space $X \times \{0, \ldots, n-1\}$ (that is, measuring the diversity of the sequences of pairs $(x_i, i)$, $i = 1, 2, \ldots$) is misleading (and, in fact, not informative). This is why the diversity measure is focused on the actual state sequences $\mathcal{G}(s) = (x_0 = s, x_1, \ldots)$ rather than on the sequence of pairs $(x_i, i)$.

Lemma 4.2. Let $x = (x_0, x_1, x_2, \ldots)$ be a state sequence of a counter assisted generator. Then for all $i \not\equiv j \pmod n$, if $x_i = x_j$ then $x_{i+1} \ne x_{j+1}$ and $x_{i-1} \ne x_{j-1}$.

Proof. We argue modulo $n$. By definition, $x_{i+1} = f(x_i) + (i+1)$ and $x_{j+1} = f(x_j) + (j+1)$. If $x_i = x_j$ but $i \ne j$, then necessarily $x_{i+1} \ne x_{j+1}$. Now, for the very same reason, $x_{i-1} = x_{j-1}$ would imply $x_i \ne x_j$, which is not the case. □

In other words, the sequence $x$ has the interesting property that equality at any pair of locations implies inequality at the pair of their immediate successors and the pair of their immediate predecessors. We call this the isolated equality property. This is the intuitive reason why counter assisted generators cannot enter short cycles: If they accidentally generate the same value at several locations, all the subsequent computations are guaranteed to diverge rather than converge.

Theorem 4.3.

(1) The black box modification technique modifying $\mathcal{G} : x_i = f(x_{i-1})$ to $\mathcal{G}' : x_i = f(x_{i-1}) + i \pmod n$ is $\max\{\varrho(k), \lambda(k)\}$-diverse, where

$k \le n$
$n < k$

(2) If the iteration function $f$ is pseudorandom, then the state sequences generated from random seeds by the modified generator are pseudorandom.

Proof. (1) We first show that $\varrho(k) \le D_{\mathcal{G}'}(k)$ for all $k = 1, 2, \ldots$. Consider any sequence of $k$ consecutive values $x_i, x_{i+1}, \ldots, x_{i+k-1}$ ($k < n+1$), and assume that it contains exactly $\nu$ distinct values. There are $\nu^2$ possible ordered pairs $(a, b)$ of these values, and by Lemma 4.2 each one of them can occur at most once in a consecutive pair of locations $(x_j, x_{j+1})$ along the sequence. Since there are $k-1$ such locations, $\nu^2 \ge k-1$, which yields the desired lower bound on $\nu$.

Next, we need to show that $\lambda(k) \le D_{\mathcal{G}'}(k)$ for all $k = 1, 2, \ldots$. In a sequence of $k$ consecutive values $x_i, x_{i+1}, \ldots, x_{i+k-1}$ ($k < n+1$), each $x_j$ is of the form $c_j + j$, where $c_j \in \mathrm{Im}(f)$. Since we add $k$ distinct values to at most $|\mathrm{Im}(f)|$ values, we get at least $k/|\mathrm{Im}(f)|$ distinct values.

(2) We now sketch the proof of the pseudorandomness part. Consider the following sequence of oracles, which accept a number $k$ (which is polynomial in $\log n$) and output a sequence $x_1, \ldots, x_k \in X$. (By random we mean statistically independent and uniformly distributed.)

Oracle 1: Returns a random sequence $x_i \in X$ ($i = 1, 2, \ldots, k$).

Oracle 2: Chooses a random seed $x_0 = s$, and defines an $f : X \to X$ on the fly, as follows:

(1) A flag Birthday is initially set to 0.

(2) For each $i = 1, 2, \ldots, k$:

— If $f(x_{i-1})$ is undefined, then choose a random $y \in X$ and define $f(x_{i-1}) = y$.

— Otherwise, set Birthday = 1.

(3) Set $x_i = f(x_{i-1}) + i$.

The remaining values of $f$ are chosen randomly.
Oracle 3: Chooses a particular function $f$ with uniform probability from the set of all functions from $X$ to $X$, chooses a random seed $x_0 = s$, and returns the sequence $x_i$ with $x_i = f(x_{i-1}) + i$, $i = 1, 2, \ldots, k$.

Oracle 4: Same as Oracle 3, but with $f$ pseudorandom instead of truly random.

We say that two oracles are distinguishable if there exists a (not necessarily polynomial time) algorithm (called distinguisher) which, for some constant $c > 0$, given a sequence of length polynomial in $\log n$, can tell with probability greater than $1/\log(n)^c$ which oracle has generated this sequence. Otherwise, the oracles are indistinguishable. It is clear that Oracles 2, 3 are indistinguishable. That Oracles 3, 4 are indistinguishable follows from the fact that any distinguisher of these oracles can be used to construct a distinguisher of pseudorandom functions from random ones.

It remains to show that Oracles 1, 2 are indistinguishable. The only possible constraint on the output of Oracle 2 happens when $f$ is applied twice to the same argument, that is, Birthday is set to 1. It is well-known that for $k \ll n$, the probability that a birthday occurs is close to $k^2/2n$ [13], which is negligible if $k$ is polynomial in $\log n$. □

Remark 4.4. The upper bound on the distinguishing probability is tight: With probability close to $k^2/2n$, a birthday $x_i = x_j$ occurs and the distinguisher can check that $x_{i+1} - (i+1) = x_{j+1} - (j+1)$. Provided this, the probability that the output came from Oracle 1 is $1/n$.

5. Asymptotic tightness of the provable diversity

The square root lower bound on the diversity may seem to be an artifact of the proof technique. We first consider the purely combinatorial version of the problem: What is the longest sequence one can construct from $\nu$ distinct symbols which has the isolated equality property?

Lemma 5.1. For any positive integer $\nu$, there exists a sequence of length $\nu^2 + 1$ consisting of $\nu$ symbols and having the isolated equality property.

Proof. Let $C$ be a complete directed graph with $\nu$ vertices and $\nu^2$ directed edges (including self loops). As the graph is connected and the indegree and outdegree of each vertex in $C$ is the same ($= \nu$), the graph is Eulerian. Let $v_0 e_0 v_1 e_1 \ldots v_{\nu^2-1} e_{\nu^2-1} v_0$ be an Eulerian tour, which includes each directed edge exactly once. Assume that for some distinct $i$ and $j$, $v_i = v_j$. If $v_{i+1} = v_{j+1}$, then necessarily $e_i = e_j$, which is disallowed in Eulerian tours. Similarly, $v_{i-1} = v_{j-1}$ would imply $e_{i-1} = e_{j-1}$. Consequently, the sequence has the isolated equality property. □

This combinatorial result does not rule out the possibility that sequences created by counter assisted generators must satisfy additional constraints, and as a result the lower bound in Theorem 4.3 can be improved significantly. We will show that this is not the case: We prove the asymptotic tightness of our lower bound by constructing for each $n$ a specific counter-assisted generator, such that the total diversities of these counter-assisted generators are $O(\sqrt n)$.

Theorem 5.2. There exist functions $f_n$, $n = 1, 2, \ldots$ such that the total diversities of the counter assisted generators $\mathcal{G}_n : x_i = f_n(x_{i-1}) + i \pmod n$ are $O(\sqrt n)$.

Proof. Fix a natural number $n$. We will write for short $f$ and $\mathcal{G}$ instead of $f_n$ and $\mathcal{G}_n$, respectively.

The state sequence of $\mathcal{G}$ will be based on two sequences: $a_0, a_1, \ldots, a_{\alpha-1}$ and $b_0, b_1, \ldots, b_{\beta-1}$ (the values of $\alpha$ and $\beta$ will be determined later). The sequences are "meshed" as follows:

(1) Locations with even indices contain only the $a_i$ values, and locations with odd indices contain only the $b_j$ values.

(2) The $a_i$ values occur in block order: The first $\beta$ occurrences are $a_0$, the next $\beta$ occurrences are $a_1$, and so on.

(3) The $b_j$ values occur in cyclic order: The first $\beta$ occurrences are $b_0, \ldots, b_{\beta-1}$ in this order, the next $\beta$ occurrences are again $b_0, \ldots, b_{\beta-1}$ in this order, and so on.

Putting these blocks in consecutive rows, we get a matrix $C = (c_{ij})$ of size $\alpha \times 2\beta$, where $c_{i,2j} = a_i$ and $c_{i,2j+1} = b_j$:
$$C = \begin{pmatrix} a_0 & b_0 & a_0 & b_1 & \cdots & a_0 & b_{\beta-1} \\ a_1 & b_0 & a_1 & b_1 & \cdots & a_1 & b_{\beta-1} \\ \vdots & \vdots & \vdots & \vdots & & \vdots & \vdots \\ a_{\alpha-1} & b_0 & a_{\alpha-1} & b_1 & \cdots & a_{\alpha-1} & b_{\beta-1} \end{pmatrix}$$

We define a function $f$ for which the counter assisted generator $\mathcal{G} : x_i = f(x_{i-1}) + i$, seeded by $x_0 = a_0$, has state sequence equal to our meshed sequence.

We begin with a few simple restrictions on our parameters. For cyclicity the counter must return to 0 after $2\alpha\beta$ steps, that is, $2\alpha\beta \equiv 0 \pmod n$. We will consider $\alpha$'s and $\beta$'s such that $2\alpha\beta = n$ to make the sequence shorter. The isolated equality property implies that all of the $a_i$ and $b_j$ values are distinct. Thus, the total diversity will be $\alpha + \beta$.
Under these restrictions, we can see via elementary calculus that the choice $\alpha = \beta = \sqrt{n/2}$ yields the minimum possible total diversity of $\alpha + \beta = \sqrt{2n}$ values.

We thus begin with $n$'s for which $n/2$ is a square, and choose $\alpha = \beta = \sqrt{n/2}$.

We now consider the specific values of the elements in our meshed sequence. The conditions are: $c_{i,j+1} = f(c_{i,j}) + 2\beta i + (j+1)$, $c_{i+1,0} = f(c_{i,2\beta-1}) + 2\beta(i+1)$, and $c_{0,0} = f(c_{\alpha-1,2\beta-1}) + 2\alpha\beta$. In terms of the $a_i$ and $b_j$ this is:
$$\begin{aligned} b_j &= f(a_i) + 2\beta i + (2j+1) \\ a_i &= f(b_j) + 2\beta i + (2j+2) \qquad (j = 0, \ldots, \beta-2) \\ a_i &= f(b_{\beta-1}) + 2\beta i \end{aligned}$$

Setting $x = f(a_0)$, the first equation yields $b_j = x + (2j+1)$ for $i = 0$. Putting this back in the equation we get that $f(a_i) = x - 2\beta i$ for all $i$. Similarly, the second equation implies (setting $y = f(b_0)$) $a_i = y + 2\beta i + 2$ and $f(b_j) = y - 2j$ for all $j < \beta - 1$. The third equation with $i = 0$ gives $f(b_{\beta-1}) = a_0 = y + 2$.

We therefore have, for any choice of $x, y$, the following requirements:
$$\begin{aligned} a_i &= y + 2 + 2\beta i, & f(a_i) &= x - 2\beta i \\ b_j &= x + 1 + 2j, & f(b_j) &= y - 2j \qquad (j < \beta - 1) \\ b_{\beta-1} &= x - 1 + 2\beta, & f(b_{\beta-1}) &= y + 2 \end{aligned}$$

It is easy to check that any such definition yields the desired sequence of states, as long as the resulting $a_i$'s and $b_j$'s are disjoint. As we assume that $n$ is even, choosing any $x$ and $y$ having the same parity (e.g., $x = y = 0$) will do.

The values of $f$ on $X \setminus \{a_i, b_j\}$ can be arbitrary. It remains to check that the sequence is repeated after every $\alpha \cdot 2\beta$ steps. Indeed, the counter will be $2\alpha\beta \equiv 0 \pmod n$, and thus $x_{2\alpha\beta} = f(x_{2\alpha\beta - 1}) + 0 = f(b_{\beta-1}) = a_0$, so we are right where we began.

We now treat the cases where $n/2$ is not a square. Set $\alpha = \beta = \lfloor \sqrt{n/2} \rfloor$, and define $a_i$, $b_j$, and $f$ as above. Now modify $f(x)$ to $f(x \bmod 2\alpha\beta)$. The above argument shows that if we project the state sequence $x$ modulo $2\alpha\beta$, we get diversity at most $\alpha + \beta = O(\sqrt n)$. Therefore, the actual diversity can be no more than $O(\sqrt n) \cdot \lceil n/(2\alpha\beta) \rceil = O(\sqrt n) \cdot 2 = O(\sqrt n)$. □
Remark 5.3. In most practical cases, $n/2$ is not a square and thus we cannot achieve the exact $\sqrt{2n}$ upper bound using our meshing construction. However, in many cases $n$ is an even power of 2 (e.g., $2^{16}$, $2^{32}$, $2^{64}$, $2^{128}$, etc.), so we can choose $\alpha = \sqrt n$ and $\beta = \sqrt n / 2$ (note that $2\alpha\beta = n$) to get total diversity $\alpha + \beta = 3\sqrt n / 2$, which is close to the $\sqrt{2n}$ upper bound achieved in the case where $n/2$ was a square.

Our construction showed that the bound $\sqrt n$ for the total diversity is asymptotically tight. However, we do not have a construction where $D_{\mathcal{G}}(k)$ is $O(\sqrt k)$ for all $k$ simultaneously.
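As an added illustration, not from the paper, the following Python carries out the meshing construction of the proof of Theorem 5.2 together with the Remark 5.3 variant: it builds $f$ from the displayed requirements with $x = y = 0$ for any $\alpha, \beta$ with $2\alpha\beta = n$ (the derivation above does not actually use $\alpha = \beta$), runs the counter-assisted generator from $x_0 = a_0$, and verifies the period $n$, the meshing pattern and the total diversity $\alpha + \beta$. The parameter values $n = 32$ (where $n/2$ is a square) and $n = 64$ (the Remark 5.3 choice) are constructed test cases.

```python
# Added example: the meshed construction from the proof of Theorem 5.2,
# generalised as Remark 5.3 allows to any alpha, beta with 2*alpha*beta = n.
# Builds f explicitly (with x = y = 0), runs x_i = f(x_{i-1}) + i (mod n)
# from x_0 = a_0 and verifies period n and total diversity alpha + beta.
from typing import Dict, List, Tuple


def meshed_function(n: int, alpha: int, beta: int) -> Tuple[Dict[int, int], List[int], List[int]]:
    """Return (f as a lookup table, [a_0..a_{alpha-1}], [b_0..b_{beta-1}]) with x = y = 0.

    Requirements from the proof:
        a_i       = y + 2 + 2*beta*i,   f(a_i)       = x - 2*beta*i
        b_j       = x + 1 + 2*j,        f(b_j)       = y - 2*j        (j < beta-1)
        b_{beta-1} = x - 1 + 2*beta,    f(b_{beta-1}) = y + 2
    """
    if 2 * alpha * beta != n:
        raise ValueError("need 2*alpha*beta == n")
    x = y = 0                                     # same parity, as the proof requires
    a = [(y + 2 + 2 * beta * i) % n for i in range(alpha)]
    b = [(x + 1 + 2 * j) % n for j in range(beta - 1)] + [(x - 1 + 2 * beta) % n]
    f = {v: 0 for v in range(n)}                  # values outside {a_i, b_j} are arbitrary
    for i, ai in enumerate(a):
        f[ai] = (x - 2 * beta * i) % n
    for j, bj in enumerate(b[:-1]):
        f[bj] = (y - 2 * j) % n
    f[b[-1]] = (y + 2) % n
    return f, a, b


def counter_assisted(f: Dict[int, int], n: int, seed: int, length: int) -> List[int]:
    """Definition 4.1: x_0 = seed, x_i = f(x_{i-1}) + i (mod n)."""
    xs = [seed]
    for i in range(1, length):
        xs.append((f[xs[-1]] + i) % n)
    return xs


def analyse(n: int, alpha: int, beta: int) -> Tuple[int, int, bool]:
    """(period, total diversity, meshing-as-described) of the constructed generator."""
    f, a, b = meshed_function(n, alpha, beta)
    xs = counter_assisted(f, n, a[0], 3 * n)
    # period: smallest p > 0 with x_{t+p} = x_t for all t in the first 2n positions
    period = next(p for p in range(1, n + 1) if all(xs[t + p] == xs[t] for t in range(2 * n)))
    total_div = len(set(xs))                      # all distinct states over three full periods
    # meshing: x_{2*beta*i + 2*j} = a_i and x_{2*beta*i + 2*j + 1} = b_j
    meshed = all(xs[2 * beta * i + 2 * j] == a[i] and xs[2 * beta * i + 2 * j + 1] == b[j]
                 for i in range(alpha) for j in range(beta))
    return period, total_div, meshed


if __name__ == "__main__":
    print("n=32, alpha=beta=4:", analyse(32, 4, 4))    # diversity sqrt(2n) = 8
    print("n=64, alpha=8, beta=4:", analyse(64, 8, 4))  # Remark 5.3: 3*sqrt(n)/2 = 12
```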

Open problem 5.4. Does there exist a constant $c$ such that for all sufficiently large $n$, there exists a counter-assisted generator $\mathcal{G}$ (with state space of size $n$) such that $D_{\mathcal{G}}(k) \le c\sqrt k$ for all $k$?

6. Cascade counter-assisted generators

In this section we generalize the notion of counter-assisted generators.

A Latin square is a binary function which is uniquely invertible given its output and any one of the inputs. For example, the operations $x + y \pmod n$, $x - y \pmod n$ and $x \oplus y$ are Latin square operations. Moreover, every group operation is a Latin square operation, and if $x \star y$ is a Latin square operation and $P, Q, Z$ are permutations, then $Z(P(x) \star Q(y))$ is a Latin square operation. Let $\star$ be a Latin square operation.

It is easy to see that the proof of Theorem 4.3 applies when the $+i$ modification is replaced by any Latin square operation $\star\, i$ (unique invertibility with respect to the $i$ input guarantees the isolated equality property, and unique invertibility with respect to the $x_i$ input guarantees the pseudorandomness of the states). We can thus extend the concept of counter assisted generators to include these cases as well.

Remark 6.1. When $n$ is a power of 2, we can use essentially the same construction as in the proof of Theorem 5.2 to show the optimality of the lower bound when the $+i \pmod n$ modification is replaced by a $\oplus\, i$ modification.

The next lemma shows that counter-mode generators are a degenerate case of counter-assisted generators.

Lemma 6.2. Every counter-mode generator is a counter-assisted generator.
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Proof. A counter-mode generator with ith output g{s-ki) is equivalent 
to the counter-assisted generator Q = (/, g), where f = s, and the Latin 
square operation is a, since in this case, Xt = /(xj_i) -ki = s-ki. □ 

We can extend the notion of counter-assisted generators further. 
Assume that Q = (/, g, X, Y) is an iterative generator, and let c = 
(co,ci,...) be any sequence of elements in X. Dehne the sequence- 
assisted generator Q kc c to be the generator whose Ah state is Xi = 
/(xj-i) ACj (and whose Ah output is g{xi)). 

Theorem 6.3. Let $\mathcal{G} = (f, g) * c$ be a sequence-assisted generator. Then:

(1) $D_{\mathcal{G}}(k) \ge \sqrt{D_c(k) - 1}$ for all $k = 1, 2, \ldots$.

(2) If the sequence $c$ is pseudorandom, then the state sequence of $\mathcal{G}$ is pseudorandom.

(3) If $f$ is pseudorandom, then the state sequence of $\mathcal{G}$ is pseudorandom.

Proof. (1) As in the corresponding lemma for counter-assisted generators, we can show that $c_i \neq c_j$ implies $(x_{i-1}, x_i) \neq (x_{j-1}, x_j)$. The rest of the proof is similar to the proof of Theorem 4.3(1).

(2) If the state sequence of $\mathcal{G}$ is not pseudorandom, then the sequence $c$ can be distinguished from pseudorandom noise by considering $(f, g) * c$, and looking at the state sequence of $\mathcal{G}$.

(3) This is proved as in Theorem 4.3(2); the only difference is in the definition of Oracle 3. □

Thus, any sequence $c$ with large diversity can be used instead of a counter. In particular, we can use the output of any of the generators mentioned in Section 1.4 as the assisting sequence. In general, assume that $C$ is any generator with output in $X$. Define $\mathcal{G} * C = \mathcal{G} * c$, where $c = (c_0, c_1, \ldots)$ is the output sequence of $C$ (note that the sequence $c$ depends on the initialization of $C$). The following definition is inductive.

Definition 6.4. $\mathcal{G}$ is a cascade counter-assisted generator if:

(1) $\mathcal{G}$ is a (standard) counter-assisted generator, or

(2) $\mathcal{G} = \mathcal{F} * C$, where $\mathcal{F}$ is an iterative generator, $*$ is a Latin square operation, and $C$ is a cascade counter-assisted generator.

In particular, we have: 

Lemma 6.5. Every iterative generator is a cascade counter-assisted generator.

Proof. If $\mathcal{G}$ is an iterative generator, and $C$ is a generator with output function $0$ (the constant zero function), then $\mathcal{G} + C = \mathcal{G}$ is a cascade counter-assisted generator. □
Thus the notion of cascade counter-assisted generators extends those of iterative, counter-mode and counter-assisted generators.

Ideally, all internal states of the cascaded generators (including the starting position of the counter $i$) should be initialized by random, independent seeds. If this is not feasible, one can, e.g., initialize the "driving" generator or the counter with a random seed, and then clock the cascade a few times to make all internal states depend on the seed. In this case, however, caution must be taken to make sure that the particular choice of output functions does not make the influence of the seed "vanish" while going down the cascade.

Example 6.6. Assume that the generators $A$, $B$, and $C$ have state spaces of size $n = 2^{256}$ (256 bits). Assume further that the generator $C$ is counter-based with an invertible output function $g_C$, and that the output function of $B$ is invertible as well. Consider the total diversity of the cascade generator $A + (B \oplus C)$ (see Figure 3): As $C$ is counter-based, we have $D_C(n) = n$. Thus by Theorem 6.3 (and discreteness), $D_{B \oplus C}(n) \ge \lceil \sqrt{n - 1}\, \rceil = 2^{128}$, and $D_{A + (B \oplus C)}(n) \ge \lceil \sqrt{2^{128} - 1}\, \rceil \ge 2^{64}$. Moreover, if the output function of $C$, or any of the iteration functions of $B$, $A$ is pseudorandom, then the state sequence of $A$ is pseudorandom as well. (We can also use, e.g., a maximal length LFSR instead of the counter-based generator $C$ to get the same results.)
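As an added illustration of the sequence-assisted and cascade constructions of this section (example code written for this page, not the paper's own implementation), the following Python script builds the cascade $A + (B \oplus C)$ of Example 6.6 over a toy state space of $n = 2^8$ instead of $2^{256}$, with deliberately bad iteration functions for $A$ and $B$, and checks the bound of Theorem 6.3(1) exhaustively for every $k$. It also checks Lemma 6.2: a constant iteration function turns the counter-assisted generator into the counter-mode generator. All function and variable names, the seeds and the choice of identity output functions are assumptions of the example.

```python
# Added example: sequence-assisted and cascade counter-assisted generators
# (Section 6) over a toy state space.  Not code from the paper.
from math import isqrt

N = 2 ** 8  # toy state space {0, ..., N-1}; Example 6.6 uses n = 2**256


def add_mod(x, y):
    """Latin square operation x + y (mod N)."""
    return (x + y) % N


def xor_op(x, y):
    """Latin square operation x XOR y (N is a power of 2, so the result stays in range)."""
    return x ^ y


def counter(k):
    """The assisting sequence c_i = i (mod N) of a counter-assisted generator."""
    return [i % N for i in range(k)]


def iterative(f, x0, k):
    """Plain iterative generator x_i = f(x_{i-1}); returns x_0, ..., x_{k-1}."""
    xs = [x0]
    for _ in range(1, k):
        xs.append(f(xs[-1]))
    return xs


def sequence_assisted(f, op, c, x0, k):
    """Sequence-assisted generator (f, g) * c with identity output function:
    x_i = f(x_{i-1}) * c_i for i >= 1.  With c = counter(k) this is the
    counter-assisted generator; with c the output of another generator it is
    one level of a cascade in the sense of Definition 6.4."""
    xs = [x0]
    for i in range(1, k):
        xs.append(op(f(xs[-1]), c[i]))
    return xs


def diversity(states, k):
    """D(k): number of distinct values among the first k states."""
    return len(set(states[:k]))


def ceil_sqrt(m):
    """Smallest integer >= sqrt(m) for m >= 0, computed exactly (no floats)."""
    return 0 if m <= 0 else isqrt(m - 1) + 1


def bound_holds(states, assisting, upto):
    """Theorem 6.3(1): D_G(k) >= sqrt(D_c(k) - 1) for every k = 1, ..., upto."""
    return all(diversity(states, k) >= ceil_sqrt(diversity(assisting, k) - 1)
               for k in range(1, upto + 1))


def counter_mode_is_counter_assisted(s):
    """Lemma 6.2: with the constant iteration function f = s, the
    counter-assisted generator produces the counter-mode states s * i."""
    states = sequence_assisted(lambda _: s, add_mod, counter(N), s, N)
    return states == [add_mod(s, i) for i in range(N)]


def run_cascade_check():
    """The cascade A + (B xor C) of Example 6.6 over the toy space, with
    adversarial iteration functions: A always returns 0 (a cycle of length 1)
    and B is the identity (every state is a fixed point)."""
    f_A = lambda x: 0
    f_B = lambda x: x
    s_C = 5                                                            # seed of C (constructed)
    c = sequence_assisted(lambda _: s_C, add_mod, counter(N), s_C, N)  # C: counter-mode, c_i = s_C + i
    bc = sequence_assisted(f_B, xor_op, c, 17, N)                      # B xor C, seed 17
    a = sequence_assisted(f_A, add_mod, bc, 42, N)                     # A + (B xor C), seed 42
    return {
        "D_plain_A": diversity(iterative(f_A, 42, N), N),  # A without assistance: only 2 states
        "D_C": diversity(c, N),                             # n, as for any counter-based generator
        "D_BxorC": diversity(bc, N),
        "D_A": diversity(a, N),
        "bound_C_to_BxorC": bound_holds(bc, c, N),
        "bound_BxorC_to_A": bound_holds(a, bc, N),
    }


if __name__ == "__main__":
    print(run_cascade_check())
```

The check passes for any choice of $f_A$ and $f_B$, which is the point of Theorem 6.3: the guarantee comes from the diversity of the assisting sequence and the Latin square property of the operation, not from any property of the iteration functions.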



Figure 3. 

Remark 6.7. In this section we have seen that every iterative generator can be viewed as a cascade counter-assisted generator (in a degenerate manner). On the other hand, as mentioned earlier, every counter-assisted generator can be viewed as an iterative generator (with a larger state space). The advantage of our approach is that we focus on the cryptographical part of the generator, from which the output is calculated, rather than on the state of the whole system.

7. Generating sequences with maximal diversity

If we allow the design of a new output function $g$, then we can modify any generator to have the maximal possible diversity $D_{\mathcal{G}}(k) = k$ for all $k = 1, 2, \ldots, n$.

Definition 7.1. Let $\mathcal{G}$ be any iterative generator. Modify its next-state function as follows:

$x_{2i+1} = f(x_{2i})$

$x_{2i+2} = f(x_{2i+1}) + i$

That is, the counter is incremented and added to the state value only once every two iterations of the generator. The pair of generated values $(x_{2i}, x_{2i+1})$ is used as the argument of a new output function $g' : X \times X \to Y \times Y$. We call this mode of operation the two-step counter-assisted mode. More generally, the $t$-step counter-assisted mode is defined by incrementing and adding the counter once every $t$ iterations, and using each $t$-tuple as the input of a new output function $g' : X^t \to Y^t$. Formally, the $t$-step generator $\mathcal{G} = (f, g, X, Y)$ with Latin square operation $*\,i$ is the counter-assisted generator $\mathcal{G}^t = (\bar f, g', X^t, Y^t)$ with the (injective) operation $\bar *\, i$, where

• $\bar f(x_0, \ldots, x_{t-1}) = (f(x_{t-1}), f^2(x_{t-1}), \ldots, f^t(x_{t-1}))$,

• $(x_0, \ldots, x_{t-1})\ \bar *\ i = (x_0, \ldots, x_{t-1} * i)$, and

• $i$ is a cyclic counter in the range $0, 1, \ldots, n - 1$.

Note that $t$-step counter-assisted generators require a state buffer of size $t$.


x2 


xl 



Figure 4. A two-step counter-assisted generator 

For all $t \ge 2$, any $t$-step counter-assisted generator has maximal possible diversity:

Theorem 7.2. For any generator $\mathcal{G} = (f, g)$, and for all $t \ge 2$, we have the following:

(1) If $f$ is pseudorandom, then the state sequences of $\mathcal{G}^t$ are pseudorandom.

(2) $D_{\mathcal{G}^t}(k) = k$ for all $k = 1, \ldots, n$.

Proof. The proof of the pseudorandomness part is similar to that in Theorem 4.3.

To prove the diversity part, assume that for some $i \neq j \pmod n$ we have equality between the $t$-tuples $(x_{it}, \ldots, x_{it+t-1})$ and $(x_{jt}, \ldots, x_{jt+t-1})$. In particular, $x_{it+t-2} = x_{jt+t-2}$. But this implies $x_{it+t-1} = f(x_{it+t-2}) + i \neq f(x_{jt+t-2}) + j = x_{jt+t-1} \pmod n$, a contradiction. □
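The $t$-step mode of Definition 7.1 and the diversity claim of Theorem 7.2, as an added example (written for this page; not the paper's code) over a toy state space of $n = 2^6$. The script clocks $f$ $t$ times per tuple, applies the counter to the last entry only, and checks $D_{\mathcal{G}^t}(k) = k$ for every $k \le n$ against three adversarial choices of $f$. One assumption differs from the paper: the seed tuple is built from a single seed $x_0$ with counter value 0 rather than being an arbitrary $t$-tuple, so that the invariant used in the proof (last entry equals $f$ of the second-to-last entry plus the counter) holds from the first tuple on. It also shows, for contrast, that the one-step counter-assisted generator with the same $f$ can repeat a state.

```python
# Added example: the t-step counter-assisted mode of Definition 7.1 over a toy
# state space, with an exhaustive check of the diversity claim of Theorem 7.2.
# Not code from the paper.

N = 2 ** 6  # toy state space; the paper works with 2**64 or 2**256


def add_mod(x, y):
    """Latin square operation x + y (mod N)."""
    return (x + y) % N


def t_step_states(f, t, x0, op=add_mod, steps=None):
    """First `steps` t-tuples of the t-step generator G^t.

    Tuple i is (f(last), f^2(last), ..., f^t(last) * i), where `last` is the
    final entry of tuple i-1: f is clocked t times and the counter is applied
    once, to the last entry only.  Assumption of this example: the seed tuple
    (i = 0) is built the same way from x0 with counter value 0, so that every
    tuple satisfies "last entry = f(second-to-last entry) * i", which is what
    the proof of Theorem 7.2 uses.
    """
    if steps is None:
        steps = N
    tuples, last = [], x0
    for i in range(steps):
        buf, cur = [], last
        for _ in range(t):
            cur = f(cur)
            buf.append(cur)
        buf[-1] = op(buf[-1], i % N)  # i is a cyclic counter mod N
        tuples.append(tuple(buf))
        last = buf[-1]
    return tuples


def diversity(tuples, k):
    """D(k): number of distinct t-tuples among the first k."""
    return len(set(tuples[:k]))


def has_maximal_diversity(f, t, x0):
    """True iff D_{G^t}(k) = k for every k = 1, ..., N (Theorem 7.2(2))."""
    ts = t_step_states(f, t, x0, steps=N)
    return all(diversity(ts, k) == k for k in range(1, N + 1))


# Adversarial iteration functions (constructed for this example): whoever
# chooses f cannot defeat the mode for t >= 2.
CONSTANT = lambda x: 0           # every state maps to 0
IDENTITY = lambda x: x           # every state is a fixed point
NEGATE = lambda x: (N - x) % N   # x -> -x (mod N), an involution


def one_step_collision():
    """The plain (t = 1) counter-assisted generator with f = NEGATE and seed 0
    repeats a state after two clocks: x_1 = -0 + 1 = 1 and x_2 = -1 + 2 = 1,
    so D(3) = 2 < 3.  With t >= 2 the same f reaches D(k) = k for all k."""
    return diversity(t_step_states(NEGATE, 1, 0, steps=3), 3)


if __name__ == "__main__":
    for name, f in (("constant", CONSTANT), ("identity", IDENTITY), ("negate", NEGATE)):
        print(name, "t=2 maximal:", has_maximal_diversity(f, 2, 7),
              " t=1 maximal:", has_maximal_diversity(f, 1, 0))
    print("t=1 diversity after 3 clocks with negate:", one_step_collision())
```

With the constant function, tuple $i$ is simply $(0, \ldots, 0, i)$, which makes the argument of the proof visible: the second-to-last entries agree, so the last entries, which carry the counter, must differ.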

7.1. Black-box modifications of the output function $g$. If the computational complexity of evaluating the new output function $g'$ in the two-step mode is at most double that of evaluating $g$, then on average, the computational complexity of obtaining the next output does not change: we clock the generator twice, but we get two outputs at once. If the output space $Y$ is equal to $X$ then we can get very close to this without designing a new output function.

We will use the terminology of [13]. For a function $g : X \to X$, define the Feistel permutation $D_g : X \times X \to X \times X$ by $D_g(L, R) = (R, L \oplus g(R))$. (Here too, any Latin square operation $*$ can be used instead of $\oplus$.)

If the output function $g$ is key-dependent, then we can use a Luby-Rackoff construction. Denote the key space by $K$, and assume that the size of the key space is exponential in $\log n$.

Theorem 7.3. Assume that the mapping $k \mapsto g_k$ is pseudorandom, and that $k_1$, $k_2$, and $k_3$ are pseudorandom elements of $K$. Then for all functions $f : X \to X$ and seeds $x_0 \in X$, the two-step generator $(f, D_{g_{k_1}} \circ D_{g_{k_2}} \circ D_{g_{k_3}})$ has pseudorandom output.

Proof. By Theorem 7.2, for all iteration functions $f$ and seeds $x_0 \in X$, the inputs to $D_{g_{k_1}} \circ D_{g_{k_2}} \circ D_{g_{k_3}}$ are all distinct. By a result of Luby and Rackoff [10], this implies pseudorandomness of the output. □

This construction makes the output calculation slower by a factor of 
3:2. The computational complexity of the following alternative is closer 
to the desired optimum, and is a more straightforward modification. 

Theorem 7.4. Assume that $g : X \to X$ is pseudorandom, and assume that $h : X \to X$ is pseudorandomly chosen from a family $H$ of functions such that for all distinct $x, y \in X$ and for all $z \in X$, the probability that $h(x) \oplus h(y) = z$ ($h \in H$) is negligible. Then for all functions $f : X \to X$ and seeds $x_0 \in X$, the two-step counter-assisted generator $(f, D_g \circ D_g \circ D_h)$ has pseudorandom output.

Proof. By a result of Lucks [12] (see also [13]), $D_g \circ D_g \circ D_h$ is pseudorandom. The rest of the proof is like in Theorem 7.3. □

There exist very efficient families $H$ with the property mentioned in Theorem 7.4 (see [13] for examples and references). Thus, the computational overhead of applying $h$ is small, and the resulting generator is almost as efficient as the original one. Note that, unlike the results in earlier sections, we get here a black-box modification of an iterative generator $(f, g)$ which has maximal output diversity, and if either one of the functions $f$ or $g$ is pseudorandom, then the output sequence is pseudorandom.
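The black-box output functions of Theorems 7.3 and 7.4, as an added example (written for this page, not the paper's code) over a toy block space $X = \{0, \ldots, 15\}$, small enough that the composed map on $X \times X$ can be checked exhaustively. The keyed functions $g_k$ and the function $h$ are stand-ins built from fixed random lookup tables (they have none of the pseudorandomness or $H$-family properties the theorems assume; the example only exercises the structural property that matters for diversity, namely that $D_g$ is a permutation whatever $g$ is). All names are the example's own.

```python
# Added example: black-box output functions built from Feistel permutations
# (Section 7.1), checked exhaustively over a toy X = {0, ..., N-1}.
# Not code from the paper; g and h are constructed stand-ins, not RC5 or a
# Vazirani shift function.
import random

N = 2 ** 4                                                 # toy X; the paper uses 64-bit blocks
ALL_PAIRS = [(l, r) for l in range(N) for r in range(N)]   # the whole of X x X


def feistel(g, op=lambda a, b: a ^ b):
    """The Feistel permutation D_g(L, R) = (R, L xor g(R)).
    Any Latin square operation may be passed as `op` instead of xor."""
    return lambda lr: (lr[1], op(lr[0], g(lr[1])))


def feistel_inverse(g):
    """Inverse of the xor version of D_g: from (R, L xor g(R)) recover (L, R)."""
    return lambda ab: (ab[1] ^ g(ab[0]), ab[0])


def compose(*maps):
    """compose(p, q, r)(x) = p(q(r(x))), matching the notation D_g o D_g o D_h."""
    def run(x):
        for m in reversed(maps):
            x = m(x)
        return x
    return run


def toy_table(seed):
    """Constructed stand-in for a keyed function g_k, or for h drawn from H:
    a fixed random lookup table over X (not cryptographic)."""
    rng = random.Random(seed)
    table = [rng.randrange(N) for _ in range(N)]
    return lambda x: table[x]


def luby_rackoff_output(k1, k2, k3):
    """Output function of Theorem 7.3: D_{g_k1} o D_{g_k2} o D_{g_k3}."""
    return compose(feistel(toy_table(k1)), feistel(toy_table(k2)), feistel(toy_table(k3)))


def lucks_output(g, h):
    """Output function of Theorem 7.4: D_g o D_g o D_h."""
    return compose(feistel(g), feistel(g), feistel(h))


def entrywise(g):
    """Naive two-block output (g(L), g(R)); not a permutation unless g is one."""
    return lambda lr: (g(lr[0]), g(lr[1]))


def is_permutation(fn):
    """Exhaustive check that fn is a bijection on X x X."""
    return len({fn(p) for p in ALL_PAIRS}) == len(ALL_PAIRS)


def output_diversity(fn, state_tuples):
    """Number of distinct outputs over the given two-step states.  For a
    permutation this equals the number of distinct states, so the maximal
    state diversity of Theorem 7.2 carries over to the output sequence."""
    return len({fn(p) for p in state_tuples})


if __name__ == "__main__":
    out = lucks_output(toy_table(4), toy_table(5))
    print("D_g o D_g o D_h is a permutation:", is_permutation(out))
    print("Feistel with a constant g is still a permutation:",
          is_permutation(feistel(lambda x: 0)))
    print("entrywise constant g is not:", is_permutation(entrywise(lambda x: 0)))
```

The contrast with `entrywise` is the practical point: wrapping $g$ in Feistel rounds guarantees that distinct state pairs map to distinct outputs regardless of how weak $g$ turns out to be, whereas applying $g$ block by block can collapse the maximal state diversity at the output.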

Example 7.5. Let $f = \mathrm{DES}$ [11], $g = \mathrm{RC5}$ [15], and $h_k : \{0,1\}^{64} \to \{0,1\}^{64}$ be a function from Vazirani's shift family (the $i$th bit of $h_k(x)$ is computed mod 2; see [13] and [18]). The two-step counter-assisted generator $(\mathrm{DES}, D_{\mathrm{RC5}} \circ D_{\mathrm{RC5}} \circ D_{h_k})$ has maximal (state and output) diversity $k$ for all $k = 1, 2, \ldots, 2^{64}$. On average, the calculation of any output 64 bit block requires a single invocation of DES and a single invocation of RC5. The execution time overhead of the rest of the operations is negligible. Furthermore, if either one of the two functions DES and RC5 is difficult to distinguish from random, then the output sequence will be difficult to distinguish from random as well.

Open problem 7.6. Assume that both $f$ and $g$ are (truly) random, and consider an output sequence of length $m$ generated from a random seed by the two-step counter-assisted generator $\mathcal{G} = (f, D_g \circ D_g)$. What is the highest distinguishing probability between such a sequence and a random sequence?

Remark 7.7. Using the results from [13], we get that for all $t$, the output function of the $t$-step counter-assisted mode can be modified in a black-box manner with a small computational overhead, to get the same diversity and pseudorandomness results. See [13] for details.

Remark 7.8. In certain cases, when $t$ is large (e.g., $t > 4$) it is desirable that the inputs to the $t$-step output function are distinct in as many entries as possible (for example, this guarantees many active S-boxes in differential cryptanalysis of the output function). We can achieve this goal via letting the next state be the same as when clocking the (standard) counter-assisted generator $t$ times (that is, the counter is incremented and added to the $x_i$ value every clock). By the isolated equality property, this guarantees that any two $t$-tuples are distinct in at least $\lfloor t/2 \rfloor$ entries. In this mode of operation, the diversity remains maximal as long as $k < n/t$.

7.2. Safe transition to new generations of cryptographic functions. A common practice in the design of new generations of cryptographic functions is to double the input and output length. Nowadays, we experience the evolution from 64 bit functions (such as DES, RC5, etc.) to 128 bit functions (such as the AES candidates [1]). The advantage of old generation functions is that they have gone through years of extensive academic research, and are thus well understood. It will take a long time to gain similar confidence in the new generation functions.

Our two-step counter-assisted mode suggests a natural and straightforward way to combine new and old generation functions in a way that if either one of them is pseudorandom, then the resulting generator is pseudorandom: Assume that $f$ is an old generation function and $g$ is a new generation function with double input size. Then we simply use the two-step counter-assisted generator $(f, g)$.

Example 7.9. In Example 7.5 we can use RC6 instead of $D_{\mathrm{RC5}} \circ D_{\mathrm{RC5}} \circ D_{h_k}$ as the output function. This results in a faster and more elegant generator. Here too, the diversity is maximal for all $k = 1, \ldots, 2^{64}$, and the generator is difficult to distinguish from random if either DES or RC6 is.

7.3. Cascaded multiple-step counter-assisted generators. If we have enough state-space (this is usually the case with software encryption), we can cascade multiple-step counter-assisted generators without decreasing the diversity. Consider for example generators $\mathcal{G}_0, \mathcal{G}_1, \ldots, \mathcal{G}_{m-1}$ having the same state-space and output-space. For any sequence of positive integers $t_0 < t_1 < \ldots < t_{m-1}$, and Latin-square operations $*_{t_0}, \ldots, *_{t_{m-2}}$ (on spaces of size $t_0, t_1, \ldots, t_{m-2}$ blocks, respectively), the $(t_0, t_1, \ldots, t_{m-1})$-step cascade is defined to be

$\mathcal{G}_{\text{cascade}} = \mathcal{G}_{m-1}^{t_{m-1}} *_{t_{m-2}} \cdots *_{t_1} \mathcal{G}_1^{t_1} *_{t_0} \mathcal{G}_0^{t_0}$

in the sense of Definition 6.4. Here, $(x_0, \ldots, x_{t_{j+1}-1}) *_{t_j} (y_0, \ldots, y_{t_j-1})$ is defined as the concatenation of $(x_0, \ldots, x_{t_{j+1}-t_j-1})$ and $(x_{t_{j+1}-t_j}, \ldots, x_{t_{j+1}-1}) * (y_0, \ldots, y_{t_j-1})$.

Using this notation, we have the following: 

Theorem 7.10. For all generators $\mathcal{G}_0, \mathcal{G}_1, \ldots, \mathcal{G}_{m-1}$ having the same state-space and output-space, and for any Latin-square operations $*_{t_0}, \ldots, *_{t_{m-2}}$ (on spaces of size $t_0 < t_1 < \ldots < t_{m-2}$ blocks, respectively), the $(t_0, t_1, \ldots, t_{m-1})$-step cascade $\mathcal{G}_{\text{cascade}} = \mathcal{G}_{m-1}^{t_{m-1}} *_{t_{m-2}} \cdots *_{t_1} \mathcal{G}_1^{t_1} *_{t_0} \mathcal{G}_0^{t_0}$ has the following properties:

(1) $D_{\mathcal{G}_{\text{cascade}}}(k) = k$ for all $k = 1, 2, \ldots, n$.

(2) If either the iteration or the output function of any of the cascaded generators is pseudorandom, then the output of $\mathcal{G}_{\text{cascade}}$ is pseudorandom as well.

Proof. (1) follows from Theorem 7.2 by induction on $m$. (2) follows readily from Theorem 6.3. □

8. Concluding remarks and further research

We have presented a new mode of operation which makes the diversity of every state sequence provably large with a negligible computational cost. Unlike other solutions, this mode does not introduce new (trivial) risks. The well known threat of "no available theory" on the cycle structure of complicated iterative generators (see, e.g., [4, p. 525], [2, p. 22], [17, §17.6], and [5, p. 347]) is eliminated. It is important to stress, however, that the diversity measures only one aspect of security, and is clearly not sufficient for evaluating the cryptographical strength of the generator.

Our new mode has various possible implementations via multiple-stepping and/or cascading, which allow the user a wide range of choice to fit the implementation to his constraints and needs. All of the suggested modes require a counter, but in most of the applications a counter either already exists or is easy to maintain. The cascaded mode reduces the provable diversity with respect to the simple counter-assisted mode, but it suggests an interesting new way to combine the cryptographic strength of several generators. The multiple-stepping mode requires a larger state buffer (thus may be more suitable in software applications), but assures perfect diversity.

The cryptographical impact of our modification technique when the functions $f$ or $g$ are not pseudorandom remains open. It is easy to find pathological examples of output functions where the modification makes things worse, but we believe that such pathological cases will be easy to inspect. However, if the user wants complete confidence, then he may wish to replace the output function $g$ by one that he trusts. In this case, it may be worthwhile to use the generator in the two-step mode and gain the maximal possible diversity as in Section 7.

As we have proved, in the multiple-stepping modes it is enough that either the iteration or the output function is pseudorandom to obtain pseudorandom output. This suggests combining two functions from "orthogonal" sources, such as in Example 7.5, and combining strength of well studied primitives with new, promising ones, as in Example 7.9.

The counter-assisted mode suggests many open problems. Some of these problems are mentioned in the paper. To these we can add practical problems such as the challenge of finding a seed $s$ for which the counter-assisted generator with DES as the iteration function has $D_{\mathrm{DES}(s)}(k) \approx \sqrt{k}$ for some large $k$, and theoretical problems such as statistical analysis of the behavior of the state sequence of counter-assisted generators.